Is there a way to tell how long a machine has been in an security group?
Machines get added to a security group to prevent them from getting a GPO. I'd like the machines to get removed after 30 days of being in the group. Ideally, I'd like to also be able to generate a report on the machines in the group.
Something like:
MachineA - 10 Days left
MachineB - 29 Days left
Solution 1:
Provided you have a Windows 2012 Domain controller, yes!
Where can we find group membership details?
When you look into the member attribute of an AD group you’ll find a list of all members in distinguished name format. But that’s it. There is no smoking gun or finger prints that tell you how they got there. However, there is a little-known piece of data called replication metadata that can tell us exactly what we need. This data is quite special for groups, because it shows us the date individual members were added and removed. Awesome! But if you try to view it in the GUI it looks like ugly hex.
[...]
The Script
Here is the PowerShell goodness we’ve been awaiting (also attached at the bottom of the post):
Import-Module ActiveDirectory
$username = "janitor"
$userobj = Get-ADUser $username
Get-ADUser $userobj.DistinguishedName -Properties memberOf |
Select-Object -ExpandProperty memberOf |
ForEach-Object {
Get-ADReplicationAttributeMetadata $_ -Server localhost -ShowAllLinkedValues |
Where-Object {$_.AttributeName -eq 'member' -and
$_.AttributeValue -eq $userobj.DistinguishedName} |
Select-Object FirstOriginatingCreateTime, Object, AttributeValue
} | Sort-Object FirstOriginatingCreateTime -Descending | Out-GridView
Solution 2:
The only thing I can think of to solve this is a trick where you use an intermediate group as a dynamic object and then nest that into the primary group so that the user has the permissions conferred to the primary group by way of nested group membership, however, the intermediate group has a TTL (time to live, the entry-TTL attribute) and when that TTL expires, the group will disappear and thus the nested group membership will vanish. Name the temporary group something like "MachineA 30 Day Temporary" or something.
This is referred to as "Dynamic Objects."